Working as security consultants is hugely gratifying. Businesses count on us to look at their environment from the perspective of an attacker and uncover vulnerabilities that could allow threats to thrive. One of the most impactful parts of our role is when we are the first to find a significant vulnerability that could lead to a widespread compromise beyond just our client.
That is what happened this year with the Cisco Unified Communications Manager (CUCM) IM & Presence appliance. We performed an application penetration test against it for one of our clients. While doing so, we discovered an opening that could affect anyone who uses this appliance. Read on to find out how we explored the product, how we broke it and how to put it back together.
What Is the CUCM Solution?
The CUCM solution is a middleware component that allows enterprises to integrate their various communication systems and manage them using a single platform. In short, it unifies voice, video, data and mobile applications on fixed and mobile networks. Starting with Cisco Unified Communications 9, the Cisco Unified Presence technology is integrated into the CUCM. Today, most people refer to this solution as the CUCM IM & Presence Service. Nearly every customer that uses the Cisco Jabber instant messaging application has the CUCM IM & Presence deployment.
During the pen test, we first tried to use the least possible privilege to pinpoint the vulnerabilities that the least trusted users can reach. Then, we made a copy of the appliance in a lab environment. Using various reverse engineering techniques, we extracted the source code of the web application used to manage the appliance.
Through both dynamic testing and analysis of the source code, we discovered the following vulnerabilities:
- 3 x Structured Query Language (SQL) injection (CVE-2021-1355, CVE-2021-1364, CVE-2021-1282)
- SQL injection leading to arbitrary code execution (CVE-2021-1363, CVE-2021-1365)
- Path traversal (CVE-2021-1357)
- Cross-site scripting (CVE-2021-1407, CVE-2021-1408)
The main goal was to find vulnerabilities that attackers could exploit to elevate their privileges on the appliance. At first, our team managed to identify several SQL injection vulnerabilities, but the application had a protection module that filtered the user input. By inspecting this module, we discovered a weakness in the module logic that we used to bypass it. This allowed one to exploit three SQL injection vulnerabilities. An attacker could use this to extract sensitive information from the application database, including the administrator password hash.
One of the SQL injections was chained with another vulnerability, an operating system command injection, to achieve arbitrary code execution on the appliance. The chained attack could allow an attacker with low privileges on the appliance to escalate their privileges to root shell access. At that point, the attacker could have full control of the appliance, and the access could be used to move laterally within the internal network and attack internal assets and other users.
We also identified a local file read vulnerability in one of the application's endpoints. This could allow an attacker to read any locally accessible file on the web server via the vulnerable endpoint.
Finally, we found a way to bypass and evade application security controls to exploit several reflected cross-site scripting issues on multiple endpoints. An attacker could exploit this vulnerability by crafting a request with an injected malicious payload in the vulnerable parameters and deceiving logged-in users into visiting it.
The malicious payload injected by the attacker is executed within the victim's browser, in the context of that victim's session. The malicious script lets the attacker hijack the user session and redirect the victim to an attacker-controlled domain or to another client-side attack. That may be in-browser keylogging or performing arbitrary actions within the context of the application.
We also discovered sensitive information disclosure in one of the application endpoints. This could allow an authenticated attacker to disclose users' hashed passwords, which could then be recovered using a dictionary attack.
Moving Laterally Through the Enterprise
As a result of these vulnerabilities, a low-privileged user could elevate their privileges to the highest level on the CUCM appliance. From there, they could access sensitive information, manipulate sensitive configurations and install malicious software on the appliance that monitors and records the communication among Cisco Jabber users. An attacker could hijack logged-in user sessions or deceive users in order to steal their credentials. Additionally, since the vulnerabilities allow for code execution, an attacker could use the appliance as a foothold inside the network from which to move laterally.
The Next Steps: Reducing the Risk of Compromise
So, what should you do about it? We recommend you install the latest patch for the Cisco Unified Communications products from the Cisco security advisories. The patches for both the CUCM and the CUCM IM & Presence are shown in the charts below. Links to the advisories are found in the References section.
An ongoing penetration testing program can also help uncover and address these kinds of vulnerabilities. Learn more about X-Force Red's penetration testing services here.
On July 21, 2021, X-Force Red will be hosting a virtual panel session about threats against and vulnerabilities exposing Internet of Things (IoT) devices. The presenters will include IoT industry leaders such as the ioXt Alliance and Silicon Labs.
CUCM IM & Presence SQL injection vulnerability leads to arbitrary code execution:
CUCM IM & Presence SQL injection vulnerability leads to local file disclosure and path traversal vulnerabilities:
CUCM cross-site scripting vulnerability leads to attacks on other appliance users: